arrowrat | a44158be4e5c309a426ee067132a3c82eaf700447253e7830fec9f5ce5262819 | Triage

Submit
Reports

Overview

overview

Static

static

PandorahVN...xed.7z

windows10-2004-x64

Sharing

General

Target

PandorahVNC 1.8.6 Fixed.7z
Size

20.4MB
Sample

231016-wka58ada69
MD5

88a7c76d46b12ae9eaec77f920ce3e72
SHA1

8a57a3e2051db48dfe3081aca15fdc772a64ff7e
SHA256

a44158be4e5c309a426ee067132a3c82eaf700447253e7830fec9f5ce5262819
SHA512

6668bcd2c1d52bbe2b275d0f5138c01091e4df4b955e6dd94629e91d6ef120045c7bcb2257e12c8c5b2a4e27f9636a6cd1b3c78c17ad961f1d3f8b49715490e4
SSDEEP

393216:inxj4RQKNpOXrqYkbUlLEsumc9zMk2AedKDRwG/Yj5GtQKN4xlB:GmRQypOuYRFwmcx2A4UAj5GZA

Score

10^/10

arrowrat #groupname#client persistence rat

Static task

static1

#groupname#arrowrat

2 signatures

Behavioral task

behavioral1

Sample

PandorahVNC 1.8.6 Fixed.7z

Resource

win10v2004-20230915-en

arrowrat #groupname#client persistence rat

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

arrowrat

Botnet

#GroupName#

C2

#IP#:#PORT#

Mutex

#Mutex#

Extracted

Family

arrowrat

Botnet

Client

C2

127.0.0.1:1337

Mutex

sZHtwFBDY

Targets

- Target
  
  PandorahVNC 1.8.6 Fixed.7z
- Size
  
  20.4MB
- MD5
  
  88a7c76d46b12ae9eaec77f920ce3e72
- SHA1
  
  8a57a3e2051db48dfe3081aca15fdc772a64ff7e
- SHA256
  
  a44158be4e5c309a426ee067132a3c82eaf700447253e7830fec9f5ce5262819
- SHA512
  
  6668bcd2c1d52bbe2b275d0f5138c01091e4df4b955e6dd94629e91d6ef120045c7bcb2257e12c8c5b2a4e27f9636a6cd1b3c78c17ad961f1d3f8b49715490e4
- SSDEEP
  
  393216:inxj4RQKNpOXrqYkbUlLEsumc9zMk2AedKDRwG/Yj5GtQKN4xlB:GmRQypOuYRFwmcx2A4UAj5GZA
Score

10^/10

arrowrat #groupname#client persistence rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

#groupname#arrowrat

behavioral1

arrowrat#groupname#clientpersistencerat

© 2018-2024

Terms | Privacy